How to troubleshoot a site-to-site IPsec VPN. Part 1

Introduction

A day off. I'm drinking coffee. A student set up a VPN connection between two sites and vanished. I check: the tunnel is there, but no traffic goes through it. The student doesn't answer the phone.

I put the kettle on and dive into the S-Terra Gateway to troubleshoot. Below I share my experience and my method.

Initial setup

Two sites separated by a WAN are connected by a GRE tunnel. The GRE traffic needs to be encrypted:

[Figure]

I check whether the GRE tunnel works. To do this, I run a ping from device R1 to the GRE interface of device R2. This is the target traffic that is supposed to be encrypted. No reply:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

I check the logs on Gate1 and Gate2. The log happily reports that the IPsec tunnel was established successfully, no problems:

root@Gate1:~# cat /var/log/cspvpngate.log
Aug  5 16:14:23 localhost  vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1

In the IPsec tunnel statistics on Gate1 I see that the tunnel exists, but the Rcvd counter is zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id  (Local Addr,Port)-(Remote Addr,Port)     State   Sent  Rcvd
1   3        (10.10.10.251,500)-(10.10.10.252,500)    active  1070  1014

IPsec connections:
Num Conn-id  (Local Addr,Port)-(Remote Addr,Port)     Protocol  Action  Type  Sent  Rcvd
1   3        (172.16.0.1,*)-(172.17.0.1,*)            47        ESP     tunn  480   0

My way of troubleshooting S-Terra is this: I look for the point on the path from R1 to R2 where the target packets get lost. Along the way (spoiler) I will find the mistake.

Finding the mistake

Step 1. What Gate1 receives from R1

I use a packet sniffer, tcpdump. I start the sniffer on the internal interface (Gi0/1 in Cisco-like notation, eth1 in Debian OS notation):

root@Gate1:~# tcpdump -i eth1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64

I see that Gate1 receives the GRE packets from R1. Moving on.

Step 2. What Gate1 does with the GRE packets

With the klogview tool I can see what happens to the GRE packets inside the S-Terra VPN driver:

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated

I see that the target GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matched the LIST encryption rule of the CMAP crypto map and was encapsulated. The packet was then sent out (out). There is no return traffic in the klogview output.

I check the access lists on the Gate1 device. I see a single access list, LIST, which defines the target traffic for encryption, so no firewall rules are configured there:

Gate1#show access-lists
Extended IP access list LIST
    10 permit gre host 172.16.0.1 host 172.17.0.1

Conclusion: the problem is not on the Gate1 device.

More about klogview

The VPN driver processes all traffic on the network interface, not only the traffic that has to be encrypted. These are the messages that appear in klogview when the VPN driver has processed traffic and sent it in the clear:

root@R1:~# ping 172.17.0.1 -c 4

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered

I see that the ICMP traffic (proto 1) 172.16.0.1->172.17.0.1 did not match (no match) the encryption rules of the CMAP crypto map. The packet was sent out (out) in the clear.

Step 3. What Gate2 receives from Gate1

I start the sniffer on the WAN interface (eth0) of Gate2:

root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140

I see that Gate2 receives the ESP packets from Gate1.

Step 4. What Gate2 does with the ESP packets

I start the klogview tool on Gate2:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall

I see that the ESP packets (proto 50) were dropped (DROP) by a firewall rule (L3VPN). I check that Gi0/0 does have the L3VPN access list attached to it:

Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.10.10.252/24
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is L3VPN

I have found the problem.

Step 5. What is wrong with the access list

I look at what the L3VPN access list contains:
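As an added example (not from the article and not an S-Terra tool), here is a small Python triage script for the klogview verdict lines shown in Step 2, the klogview note and Step 4: it parses the "filtration result" lines and flags the two failure modes they illustrate, target traffic leaving in the clear because no crypto-map rule matched, and ESP dropped by a firewall chain. The sample lines are constructed from the outputs quoted above, and the line format is assumed to be exactly as printed there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input, modelled on the klogview lines quoted in this article:
# Gate1 encapsulating GRE, Gate1 passing ICMP in the clear, Gate2 dropping ESP.
SAMPLE_KLOGVIEW = """\
filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated
filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall
"""

# Only the "filtration result" lines carry the verdict; the SA and passed/dropped lines repeat it.
FILT_RE = re.compile(
    r'filtration result for (?P<dir>in|out) packet [\d.]+->[\d.]+, '
    r'proto (?P<proto>\d+), len \d+, if \w+: chain \d+ "(?P<chain>[^"]+)"'
    r'(?:, filter \d+)?(?:, event id (?P<event>[^,\s]+))?'
    r'(?:, status (?P<status>\w+)|: (?P<nomatch>no match))')

@dataclass
class Verdict:
    direction: str        # "in" or "out"
    proto: int            # 47 GRE, 50 ESP, 1 ICMP
    chain: str            # "IPsecPolicy:..." (crypto map) or "FilterChain:..." (firewall)
    status: str           # PASS, DROP or NOMATCH
    event: Optional[str]  # crypto-map rule that matched, if any

def parse_klogview(text: str) -> List[Verdict]:
    verdicts = []
    for line in text.splitlines():
        m = FILT_RE.match(line)
        if m:
            status = "NOMATCH" if m.group("nomatch") else m.group("status")
            verdicts.append(Verdict(m.group("dir"), int(m.group("proto")),
                                    m.group("chain"), status, m.group("event")))
    return verdicts

def diagnose(verdicts: List[Verdict]) -> List[str]:
    findings = []  # one human-readable finding per suspicious verdict
    for v in verdicts:
        if v.proto == 50 and v.status == "DROP" and v.chain.startswith("FilterChain:"):
            findings.append(f"ESP dropped by firewall chain {v.chain}: "
                            f"the {v.direction}bound ACL must permit esp from the peer")
        elif v.status == "NOMATCH" and v.chain.startswith("IPsecPolicy:"):
            findings.append(f"proto {v.proto} traffic matched no crypto-map rule and left in the clear")
    return findings
```

Feed it the live output of `klogview -f 0xffffffff` from a gateway and it points straight at the hop and policy chain where the target traffic is lost.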

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any

I see that ISAKMP packets are permitted, which is why the IPsec tunnel gets established. But there is no rule permitting ESP. Apparently the student mixed up icmp and esp.

Fixing the access list:

Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any

Step 6. Checking that it works

First I make sure the L3VPN access list is now correct:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any

Now I send the target traffic from device R1:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms

Success. The GRE tunnel works. The received counter in the IPsec statistics is no longer zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id  (Local Addr,Port)-(Remote Addr,Port)     State   Sent  Rcvd
1   3        (10.10.10.251,500)-(10.10.10.252,500)    active  1474  1350

IPsec connections:
Num Conn-id  (Local Addr,Port)-(Remote Addr,Port)     Protocol  Action  Type  Sent  Rcvd
1   4        (172.16.0.1,*)-(172.17.0.1,*)            47        ESP     tunn  1920  480

On the Gate2 gateway, messages appeared in the klogview output saying that the target traffic 172.16.0.1->172.17.0.1 was successfully decapsulated (PASS) under the LIST rule of the CMAP crypto map:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated

Conclusions

A student ruined a day off.
Be careful with firewall rules.

Anonymous engineer
t.me/anonymous_engineer


Source: www.habr.com
